2228689 – (CVE-2023-3978) CVE-2023-3978 golang.org/x/net/html: Cross site scripting

Bug 2228689 (CVE-2023-3978) - CVE-2023-3978 golang.org/x/net/html: Cross site scripting

Summary: CVE-2023-3978 golang.org/x/net/html: Cross site scripting

Keywords:
Status:	NEW
Alias:	CVE-2023-3978
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2228806 2228807 2228808 2228810 2228811 2228812 2228813 2228814 2228815 2228824 2228825 2229577 2229578 2229579 2229580 2229581 2229583 2229584 2229585 2229586 2229587 2229588 2229589 2229590 2229591 2229592 2229593 2229594 2229595 2229596 2229597 2229598 2229600 2229601 2229602 2229603 2229604 2229605 2229607 2229608 2229610 2229611 2229582 2229599
Blocks:	2228694
TreeView+	depends on / blocked

Reported:	2023-08-03 05:50 UTC by Avinash Hanwate
Modified:	2023-08-07 12:58 UTC (History)
CC List:	83 users (show)
Fixed In Version:	golang.org/x/net/html 0.13.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Golang HTML package where it is vulnerable to Cross-site scripting caused by the improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute a script in a victim's web browser within the security context of the hosting website once the URL is clicked. The flaw allows an attacker to steal the victim's cookie-based authentication credentials.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2023-08-03 05:50:06 UTC

Text nodes not in the HTML namespace are incorrectly literally rendered, causing text which should be escaped to not be. This could lead to an XSS attack.

https://go.dev/issue/61615
https://go.dev/cl/514896
https://pkg.go.dev/vuln/GO-2023-1988

Comment 6 Avinash Hanwate 2023-08-07 05:38:23 UTC

Created caddy tracking bugs for this issue:

Affects: fedora-all [bug 2229582]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229583]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-all [bug 2229577]


Created cri-o:1.21/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229584]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229585]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229586]


Created cri-o:1.25/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229587]


Created cri-o:1.26/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229588]


Created cri-o:1.26/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229589]


Created cri-o:1.27/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2229590]


Created cri-o:1.27/cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229591]


Created cri-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229592]


Created gh tracking bugs for this issue:

Affects: fedora-all [bug 2229593]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-all [bug 2229594]


Created golang-github-onsi-ginkgo-2 tracking bugs for this issue:

Affects: fedora-all [bug 2229595]


Created golang-github-projectdiscovery-chaos-client tracking bugs for this issue:

Affects: fedora-all [bug 2229596]


Created golang-googlecode-net tracking bugs for this issue:

Affects: epel-all [bug 2229578]


Created golang-k8s-kube-aggregator tracking bugs for this issue:

Affects: fedora-all [bug 2229597]


Created golang-vitess tracking bugs for this issue:

Affects: fedora-all [bug 2229598]


Created golang-x-net tracking bugs for this issue:

Affects: epel-all [bug 2229579]
Affects: fedora-all [bug 2229599]


Created golang-x-tools tracking bugs for this issue:

Affects: fedora-all [bug 2229600]


Created hugo tracking bugs for this issue:

Affects: fedora-all [bug 2229601]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2229580]


Created migrate tracking bugs for this issue:

Affects: fedora-all [bug 2229602]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2229603]


Created osbuild-composer tracking bugs for this issue:

Affects: fedora-all [bug 2229604]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2229605]


Created rclone tracking bugs for this issue:

Affects: epel-all [bug 2229581]


Created shellz tracking bugs for this issue:

Affects: fedora-all [bug 2229607]


Created xq tracking bugs for this issue:

Affects: fedora-all [bug 2229608]

Comment 7 Avinash Hanwate 2023-08-07 05:45:38 UTC

Created rclone tracking bugs for this issue:

Affects: fedora-all [bug 2229610]

Note You need to log in before you can comment on or make changes to this bug.

aazores
adudiak
amctagga
bbaude
chazlett
davidn
dcadzow
dfreiber
dkenigsb
dshah
dwalsh
dymurray
eaguilar
ebaron
eglynn
ellin
epacific
fdeutsch
gparvin
ibolton
jaharrin
jburrell
jcammara
jcantril
jeder
jhardy
jjoyce
jkang
jkoehler
jligon
jmatthew
jmontleo
jneedle
jnovy
jobarker
jpallich
jschluet
jwendell
kshier
lgamliel
lhh
lsm5
mabashia
mboddu
mburns
mfilanov
mgarciac
mheon
muagarwa
nboldt
njean
nobody
oramraz
osapryki
osbuilders
owatkins
pahickey
periklis
pgrist
pjindal
pthomas
rcernich
rfreiman
rjohnson
rogbas
scorneli
sfroberg
sgott
simaishi
slucidi
smcdonal
smullick
sseago
stcannon
teagle
tfister
tkral
tsweeney
twalsh
vkumar
whayutin
yguenane
zsadeh